Q&A with CRANIUM: Easing Compliance with “GDPR in a Box”
As GDPR’s implementation date nears, more and more organizations are working to put in place the necessary pieces of their compliance puzzle. It’s a big and complex undertaking, and many are probably wishing, “If only there were a ‘GDPR in a Box’ that would take care of this for me.”
Well, you’re in luck! Belgium-based CRANIUM, an international consulting company specializing in privacy, data protection and information security, has an offering called exactly that: GDPR in a Box. We asked Gert Maton, a Principal Consultant at CRANIUM, what the Box is all about, how it’s helping their customers, and how you may benefit from it.
Introduce yourself and your role at CRANIUM
I’m Gert Maton, Principal Consultant at CRANIUM, helping customers in their GDPR and privacy challenge. Next to that, I’m responsible for Partner Management, Sales and some products like “GDPR in a Box” within CRANIUM. I joined CRANIUM a year ago, seeking a new challenge with a consulting company that looks at the entire picture when it comes to the protection of privacy and security.
What is “GDPR in a Box” and how did your team come up with the idea for it?
“GDPR in a Box” is a solution for all small and medium companies to help them respect the privacy of their customers or employees. We have seen that these companies often don’t have the right people in their organization to tackle the challenges that come along with the GDPR. Yet, these companies have a tendency to do a lot of the work on their own, instead of hiring consultants or lawyers to help them with such challenges.
Still, a lot of them handle a significant amount of personal data of their customers and employees and, more often than we think, handle special categories of data or big data sets of personal data. Next to that, these companies are mostly not equipped with large legal and ICT service departments and use tooling fit for their business, apart from secure tools or licensed solutions. This increases the chances of a personal data breach (for example: losing personal data or theft of personal data).
Also, these companies are required to respect the privacy of individuals since the GDPR is applicable to them. Next to that, if you look towards the professional environment around GDPR, most of us are dealing with large enterprises and international organizations. Setting up a Register of Processing Activities, complex Data Processing Agreements and all-inclusive DPIAs is really not fitted for use in smaller organizations. There is/was not really a solution fitting the needs of the SME in relation to GDPR.
So we came up with the “GDPR in a Box”. Based on our experience, our tools and a pragmatic and feasible approach, SMEs can do it themselves based on the content of the Box. So our “GDPR in a Box” is not just a set of templates offered in a Box, it is a balanced journey of getting compliant and respecting the privacy of individuals, fitted for your organization. It contains the right content and guides you through the project.
Describe how an organization would use the “GDPR in a Box”.
As mentioned before, the “GDPR in a Box” really fits SMEs. Every organization that cares about the privacy of their customers and/or employees can use it. The Box can be bought online as it is or with a limited amount of consultancy days.
If you order the regular box, we will send this to you. The aim of the box is that it is so balanced that you can work your way through it without any help. Of course, it helps if you have any experience in compliance projects or have a certain knowledge of ICT or Legal. And yes, we are aware that not everything is that evident within GDPR; therefore we added 3 credits for our Privacy and Security Helpdesk to it. When you are stuck, you can contact us and we will give you insights on how to continue.
The result should be that your organization is really on the right path towards GDPR compliance once you have executed what is in the Box.
The Box that includes consultancy days is ideal for companies that wish to do most of the work themselves, but want to make sure that what they are doing is correct, or need a back-up if questions arise. These consultancy days can be provided on site (if this is feasible) or through video call. Typically we will organize a half-day kickoff and awareness session, defining the approach and the project plan with you. Then you go to work with it; after a few weeks we will come back for a day to evaluate progress and execute what you don’t understand. Again a few weeks later we do a final wrap-up, and then the goal is to be compliant.
Of course, full compliance is hard to achieve and will change over time, so keeping this top of mind afterwards is maybe the most important advice I want to give.
Any success stories you can share?
Yes, and not only in Belgium. Our Box has been sold in different countries. Also, a lot of partners of CRANIUM want to work together on the Box in order to customize it for a specific sector. Therefore, the concept of this Box is also very flexible in terms of content, partnership and targeted enterprises.
Because we balanced the content of the Box very well and found a pragmatic approach to executing it, we have received a lot of positive feedback from the partners and customers that have already used it or participated in a partnership or evaluation of the Box.
In the future, you will probably see more translations and local advice on retention and policies. Subscriptions to the Box are also being considered, so that customers can stay in touch with the changes within GDPR and always gain from having the latest advice or templates.
Does GDPR in a box have a cost? How can people find out more about it?
The Box itself can be purchased on our online platform for only €625 or $887, the version with the consultancy days will be available for €2499 or $3480.
More information on the exact content and the conditions can be found on www.cranium-online.com.
Similar to CRANIUM’s turnkey “GDPR in a Box” starter kit for GDPR compliance, HackerOne offers a simple way to get started with managing vulnerabilities reported by outside parties; we call it HackerOne Response.
HackerOne Response is the tool of choice for organizations like GM, DoD, and Adobe as part of establishing a compliant process for receiving and acting on vulnerabilities discovered by third parties.
Our advice regarding GDPR has always been to find and fix vulnerabilities before they can be exploited. GDPR imposes no disclosure requirement for vulnerabilities, only for personal data breaches: Article 33 requires notifying the supervisory authority of a breach, where feasible within 72 hours of becoming aware of it. Running a vulnerability disclosure program is a great way to identify vulnerabilities before the bad guys do, and to avoid the ugliness of a breach and the obligations that Article 33 then triggers.
Contact us to get started with HackerOne Response.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.